Attacks/Breaches

2/11/2015
04:51 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Microsoft Fix For Critical Active Directory Bug A Year In The Making

This critical Active Directory vuln along with two other particularly 'nasty' critical flaws have experts pushing organizations to pick up patching pace.

With a bundle of updates spread across nine bulletins, yesterday's Microsoft Patch Tuesday had the usual mix of critical and important vulnerabilities addressed. But on fix in particular stood out from the normal stock, as Microsoft rolled out an architectural revamp for JASBUG, a critical vulnerability that puts organizations using Active Directory at a big risk for remote exploitation that could put tens of millions of machines at risk of privilege escalation if left unpatched. The vulnerability itself is a root-level problem impacting core parts of Windows, which required serious engineering revamps from Microsoft that ultimately were a year in the making.

Put together with two other critical vulnerabilities fixed yesterday—one a cumulative update for Internet Explorer and the other problem in Kernel-Mode Driver —the update has some industry experts urging organizations to consider speeding up their update windows. This urgency highlights the difficulties some organizations will face now that Microsoft has ditched its Advance Notification Service.

"Now in month two of no advance notification from Microsoft and the change up in the exploitability index, it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," says Russ Ernst, director of product management for Lumension. "It’s important IT know their environments well and weigh the updates according to severity and attack likelihood. Unfortunately, the 3 critical bulletins are nasty so it’s important to pay close attention."

As organizations sped to fix the issues in this round of fixes, they've not been met by smooth waters. According to early reports yesterday from SANS Internet Storm Center, there are a number of organizations who have been experiencing deployment problems, particularly around a patch for Visual Studio.

For its part, JASBUG is a vulnerability in group policy that "could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network," according to Microsoft's bulletin on the flaw. The vulnerability is a design flaw in the operating system, hence the extended time necessary to address it. Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix to fix how domain-configured systems connect to domain controllers.

"Many – if not most – information security problems have roots in identification and authentication subtleties," he wrote in a blog about the bug. "When software designers, implementers, and/or users don’t get identification and authentication right, things usually go awry.

According to Johannes Ullrich of SANS ISC, this "is a 'must apply' patch for any system traveling and connecting to untrusted networks."

Meanwhile, one of the other critical bulletins is for another flaw that could be used to commit remote code execution on most Windows versions via Kernel-Mode Driver. And the third critical problem was a big one for Internet Explorer, addressing over 41 CVEs. Included in this patch is the fix for ASLR bypass highlighted by iSIGHT research yesterday in its discovery announcement about Chinese-led watering hole attacks against Fortune.com.

"Workstations that frequently browse the internet are most at risk from these vulnerabilities. Due to the Enhanced Security Configuration mode that is enabled by default in server operating systems, servers are slightly more protected from some of these flaws," says Ryan Krause, vulnerability audit development manager for BeyondTrust. "Microsoft’s EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note is that this update will also provide IE 11 users with additional security measures by disabling SSL 3.0 fallback attempts by default."

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/12/2015 | 8:22:53 AM
If it functions, don't patch.....WRONG!
I feel that many organizations exalt functionality of their applications above all else. As many times these applications are what bring in the revenue. Fear of breaking this dynamic halts many discussions of patching. However, if you have an efficient change management and patching process, then you will find patching to be effective, not only a security aspect but from a functionality perspective. Properly testing apps and patches before pushing into production will ensure that there is no downtime for apps, frameworks, and plug-ins during business hours and will decrease the overhead for letting potential updates stack.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19007
PUBLISHED: 2018-12-14
In Geutebrueck GmbH E2 Camera Series versions prior to 1.12.0.25 the DDNS configuration (in the Network Configuration panel) is vulnerable to an OS system command injection as root.
CVE-2018-20147
PUBLISHED: 2018-12-14
In WordPress versions before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
CVE-2018-20148
PUBLISHED: 2018-12-14
In WordPress versions before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata.
CVE-2018-20149
PUBLISHED: 2018-12-14
In WordPress versions before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS.
CVE-2018-20150
PUBLISHED: 2018-12-14
In WordPress versions before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.